2 Answers
2

If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means e.g .key based login).

crypt() is the password encryption function. It is based on the Data Encryption Standard algorithm with variations intended (among other things) to discourage use of hardware implementations of a key search key is a user's typed password. Salt is a two-character string chosen from the set [a–zA–Z0–9./]. Following are some status exception values.

"NP" or "!" or null - No password, the account is locked, no user can log in.

"LK" or "*" - the account is Locked, user will be unable to log-in

"!!" - is a Red Hat convention that means a password has never been set
before. It is treated the same as "!"

This information contradicts what actually says in (my version of) man shadow. There is says that * or ! would mean a locked account..And for that matter that field can contain anything you want that is not a valid resolut of crypt function. So you can actually write in plain english ":this account is disabled:". If the 2nd field is empty, ie :: that means there's no password/any password will work.
–
MxxOct 26 '12 at 18:25

No, an account with !! in the password field of /etc/shadow can still log in. Just not with a password. A common case is an account that only allows ssh logins with a key pair.
–
GillesDec 7 '11 at 0:01